DotW: Can I Obtain the CVE in the PA event Log?

Created On 09/25/18 18:55 PM - Last Modified 07/19/22 23:09 PM


Resolution


This week's Discussion of the Week (DotW) covers a question from the Live Community that comes up from time to time:

Can I Obtain the CVE in the PA event Log?


User "Chuck555555" posed this question to the Live Community, where other members have chimed in to assist.

User "Rcole" was able to provide part of the answer, but I will expand upon what was listed with more detailed information.


The information you need lives in the Threat logs, which are found in the WebGUI under Monitor > Threat.

Here are 2 screenshots from PAN-OS versions 6.1 and 7.1:

[Figure 2016-05-16_dotw1.png: View of PAN-OS 6.1 Threat logs]

[Figure 2016-05-16_dotw2.png: View of PAN-OS 7.1 Threat logs]

In the Threat logs shown above, most users looking for more detail about a log entry click the magnifying glass (#1, orange, in the screenshots above), which displays the following information:


Note: I'll show the PAN-OS 7.1 screens unless there is a difference between versions, in which case I'll show both.

[Figure 2016-05-16_dotw3.png: Threat log detail (by clicking on the magnifying glass)]

The only problem with this view is that there is no CVE information on this screen. But you can see the Threat ID, which is 32880. Later in this article I will show how you can use the Threat ID to obtain more information from the Threat Vault.


To see more information about the threat directly from the Threat logs, click on the Threat name (#2 in the screen captures above), which brings you to the Threat Details window. Inside this window you can see the Threat ID # and the CVE number, if available, because not all threats that we alert on have a CVE # associated with them.

You can also see Exempt profiles as well as any Exempt IP Addresses, if configured for this Threat.

[Figure 2016-05-16_dotw4.png: Threat Details window showing the Threat ID as well as the CVE # if available]

Again, not every threat listed will contain a CVE number. So if no number is listed, no CVE is associated with that threat.


As previously stated, if you have the threat ID, and want to get more information about this threat, visit the new Threat Vault, located here: https://threatvault.paloaltonetworks.com/


At this site, you can search by threat name, address, threat ID or CVE number.

Let's look at this site using the number from earlier, Threat ID 32880.

[Figure 2016-05-16_dotw5.png: Threat Vault screen showing the Threat ID, CVE, as well as the protection # that covers this threat]

To obtain more information about this threat, click on the threat name. This window shows similar but more detailed information than the main Threat Vault screen.

[Figure 2016-05-16_dotw6.png: Threat Vault Signature Details screen showing Threat ID, CVE number, which update protects from this threat, and a more detailed description]

This way, you can use the Threat logs to obtain detailed information on every threat you see in your logs.
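The workflow above (Threat ID from the log entry, then CVE from the Threat Details window or a Threat Vault lookup) can be scripted when you forward the Threat logs as syslog in CSV form. The Python below is an added example, not Palo Alto Networks code. It assumes the Threat/Content Name field carries the ID in trailing parentheses, as in "Example Exploit Attempt(32880)", and scans every field rather than relying on a fixed column position; the log lines are constructed and abbreviated, and the local CVE map is a hand-maintained table whose values are placeholders you would fill in from Threat Vault (None records a signature that Threat Vault lists without a CVE, which, as noted above, is normal for some threats).

```python
import csv
import re
from collections import Counter
from io import StringIO

# Assumption: the Threat/Content Name field looks like "name(threat_id)".
# Column positions differ between PAN-OS versions, so every field is tested.
THREAT_NAME_RE = re.compile(r"^(?P<name>.+?)\((?P<tid>\d+)\)$")

# Constructed, abbreviated syslog CSV lines (not real traffic). Field layout:
# version,serial,type,subtype,time,src,dst,rule,app,action,threat_name(id),severity
SAMPLE_THREAT_LOGS = """\
1,007200001234,THREAT,vulnerability,2016/05/16 10:01:02,10.1.1.5,192.0.2.10,rule1,web-browsing,alert,Example Exploit Attempt(32880),critical
1,007200001234,THREAT,vulnerability,2016/05/16 10:03:44,10.1.1.9,192.0.2.10,rule1,web-browsing,alert,Example Exploit Attempt(32880),critical
1,007200001234,THREAT,vulnerability,2016/05/16 10:05:10,10.1.1.7,192.0.2.22,rule1,ssl,drop,Constructed Brute Force Sample(40000),high
1,007200001234,TRAFFIC,end,2016/05/16 10:05:11,10.1.1.7,192.0.2.22,rule1,ssl,allow,,informational
"""

# Constructed local table filled in by hand from Threat Vault lookups.
# Values are placeholders, not real CVE identifiers. None means the
# signature has no CVE listed, which is a valid and common outcome.
LOCAL_CVE_MAP = {
    "32880": "CVE-PLACEHOLDER-FROM-THREAT-VAULT",
    "40000": None,
}

THREAT_VAULT_URL = "https://threatvault.paloaltonetworks.com/"


def extract_threat_ids(log_text):
    """Return a Counter of {threat_id: hit_count} from raw THREAT log CSV text.

    Non-THREAT rows (e.g. TRAFFIC) are skipped; the first field matching the
    name(id) pattern in each row supplies the ID.
    """
    counts = Counter()
    for row in csv.reader(StringIO(log_text)):
        if len(row) < 4 or row[2] != "THREAT":
            continue
        for field in row:
            match = THREAT_NAME_RE.match(field)
            if match:
                counts[match.group("tid")] += 1
                break
    return counts


def enrich(counts, cve_map=LOCAL_CVE_MAP):
    """Join threat-ID hit counts with the local CVE table.

    Returns a list of dicts sorted by hit count. needs_lookup is True only
    for IDs absent from the table, i.e. not yet searched in Threat Vault;
    an ID mapped to None has already been checked and simply has no CVE.
    """
    rows = []
    for tid, hits in counts.most_common():
        rows.append({
            "threat_id": tid,
            "hits": hits,
            "cve": cve_map.get(tid),
            "needs_lookup": tid not in cve_map,
        })
    return rows


if __name__ == "__main__":
    for row in enrich(extract_threat_ids(SAMPLE_THREAT_LOGS)):
        cve = row["cve"] or "no CVE listed"
        hint = f" (search Threat ID at {THREAT_VAULT_URL})" if row["needs_lookup"] else ""
        print(f"Threat ID {row['threat_id']}: {row['hits']} hit(s), {cve}{hint}")
```

The distinction between "no CVE listed" and "not looked up yet" matters when triaging: the first is a settled answer for that signature, while the second is still a gap in your local table.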


View the entire discussion for this article at: Can I Obtain the CVE in the PA event Log?


Thanks for reading. We hope you come back every week for more information!


As always, we welcome all comments, suggestions and questions below in the comments section.


Did you learn something here? Let me know.

Joe Delio (jdelio)



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRsCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail